Lessons From Yahoo Breach Continue

Yahoo has (not surprisingly) been hit with multiple consumer class action claims relating to its massive data breach. It is unclear exactly when Yahoo uncovered the 2014 breach; news reports characterize the find as "recent." Yahoo also has said that it is cooperating with law enforcement, which could help offset any issues tied to a delay in announcing the breach.

Yahoo did, however, do a lot of things right that are being eclipsed by the sheer size of the breach:

It encrypted/hashed sensitive password data to make it unusable if compromised.

It segregated financial data (credit cards, for example) from user name/password data by storing it on separate servers so that one attack could not reach all data.

It has brought in law enforcement.

It has stated clearly what the facts currently indicate to be the nature of the attack (a state actor), rather than obfuscating.

The timing will be important to the success of any plaintiffs' claims: if it emerges that Yahoo sat on the 2014 breach for some time after learning of it, the public and any judge or jury are likely to smell a cover-up. Moreover, these cases may prove a good test of newer consumer protection laws in California that are designed to protect privacy even if there is no financial harm caused by a privacy issue. Yahoo does, however, have a reasonably good story to tell if it can focus attention on its planning and preventive efforts rather than on the scale of the problem and the two-year delay between the hack and its revelation.